The report by ICEBRG revealed that while these extensions are likely used to “conduct click fraud and/or search engine optimization (SEO) manipulation,” they can also provide “a foothold that the threat actors could leverage to gain access to corporate networks and user information.” The report added that workstations within major organizations around the world were on the affected list. The list of these malicious Chrome extensions includes:

The security firm started its investigation after it observed an unusual spike in outbound network traffic volume from a customer workstation. In that case, the traffic was associated with the domain ‘change-request[.]info’ and was generated by the Chrome extension named Change HTTP Request Header. The firm adds that while the extension itself doesn’t contain any malicious code – which is how such extensions usually bypass security checks – attackers can later enable code injection and execute arbitrary JavaScript code via the extension.

This is made possible by a permission declared in the extension’s Content Security Policy. “By design, Chrome’s JavaScript engine evaluates (executes) JavaScript code contained within JSON,” researchers wrote. “Due to security concerns, Chrome prevents the ability to retrieve JSON from an external source by extensions, which must explicitly request its use via the Content Security Policy (CSP).”

When an extension does enable the ‘unsafe-eval’ permission to perform such actions, it may retrieve and process JSON from an externally controlled server. This creates a scenario in which the extension author can inject and execute arbitrary JavaScript code any time the update server receives a request.
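As an added example (not code from the ICEBRG report or from the extensions it describes), the following audit parses extension manifests and flags any whose script-src directive includes 'unsafe-eval', handling both the Manifest V2 string form and the Manifest V3 object form of content_security_policy; the manifests it checks are constructed samples.

```python
"""Flag Chrome extension manifests whose CSP permits eval of fetched code."""
import json

# Constructed sample manifests (hypothetical extension ids, not real ones):
# MV2 string-form CSP with 'unsafe-eval', MV3 object-form CSP with
# 'unsafe-eval', and one that relies on Chrome's default policy.
SAMPLE_MANIFESTS = {
    "ext_a": json.dumps({
        "manifest_version": 2,
        "name": "Header Changer (constructed sample)",
        "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
    }),
    "ext_b": json.dumps({
        "manifest_version": 3,
        "name": "MV3 sample",
        "content_security_policy": {"extension_pages": "script-src 'self' 'unsafe-eval'"},
    }),
    "ext_c": json.dumps({"manifest_version": 2, "name": "Clean sample"}),
}

def csp_strings(manifest):
    """Return every CSP string in a manifest, whether MV2 (string) or MV3 (dict)."""
    csp = manifest.get("content_security_policy")
    if isinstance(csp, str):
        return [csp]
    if isinstance(csp, dict):
        return [v for v in csp.values() if isinstance(v, str)]
    return []

def script_src_allows_eval(csp):
    """True if the script-src directive of a CSP string contains 'unsafe-eval'."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return "'unsafe-eval'" in tokens
    return False

def audit(manifests):
    """Map extension id -> True when any CSP in its manifest permits unsafe-eval."""
    findings = {}
    for ext_id, raw in manifests.items():
        manifest = json.loads(raw)
        findings[ext_id] = any(script_src_allows_eval(c) for c in csp_strings(manifest))
    return findings

if __name__ == "__main__":
    for ext_id, flagged in audit(SAMPLE_MANIFESTS).items():
        print(ext_id, "ALLOWS unsafe-eval" if flagged else "ok")
```

Pointing `audit` at the manifest.json files under a user's extensions directory gives a quick inventory of installed extensions that could evaluate server-supplied code.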

While the researchers have assured that all the affected customers have been alerted and Google has removed the malicious Chrome extensions, they warned that “the use of third-party Chrome extension repositories may still allow the installation of the extensions.”

ICEBRG also added that during their research, they only noticed this particular threat actor using this capability to visit advertising domains for click fraud campaigns. While a lucrative industry in itself, this workaround could also be potentially used to visit any internal sites of the target network, “effectively bypassing perimeter controls that are meant to protect internal assets from external parties.”